As we have mentioned previously, participants in Coordinated Vulnerability Disclosure iterate over the following questions:

  1. What actions should I take in response to this knowledge?
  2. Who else should I tell about it?
     a. What should I tell them?

Let's take a moment to explore questions 2 and 2a in a few scenarios. Each of these disclosure options has advantages and disadvantages. In this section, we adapt and expand some terminology from Shepherd [1]:

References

  1. S. Shepherd, "Vulnerability Disclosure: How Do We Define Responsible Disclosure?" SANS GIAC SEC Practical Repository, 2003.